Little Snitch and Code Signing

Little Snitch is a third party security application for Mac. Most Little Snitch users have no problems, but some see a reported code signing mismatch with our application, with messages such as:

"Code signature mismatch detected. The running process differs from the version on disk. It has no code signature, but the disk version does."

Again, most Little Snitch users do not see this. Given that SpiderOak One and Groups is accepted by most installations of Little Snitch, this appears to be an issue with that application and not with One or Groups.

As background information, the purpose of code signing is to verify that the installer that you have downloaded is indeed from us and has not been tampered with by malicious third parties. Code signing is not the only way you can verify this, however. We encourage anyone seeing this warning, or indeed anyone who simply wishes to be doubly sure, to compare the SHA-256 hash of what you downloaded to our installer's published hash. To do that:

Find the SHA-256 hash for the version of SpiderOak One or Groups that you downloaded, which we publish in the release notes. For example, there you will see that the SHA-256 hash for SpiderOak One 6.4.0 for Mac 10.13 High Sierra is aff9fd77d2af05ee122ef12a4bb62ee74089bbcda5f3506bd4e3aeffc72f892c.

Usually it is sufficient to instruct Little Snitch to ignore the presumably erroneous code signature mismatch on this software, after of course verifying the hash as described above. You should also disable LAN-Sync in SpiderOak One or Groups. Once those things are done there should be no further warning messages or interruptions.